Overview

overview

10

Static

static

86c85206d1...34.exe

windows7_x64

10

86c85206d1...34.exe

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-08-2021 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe

  • Size

    461KB

  • MD5

    f0fc2455a7cdd023373fd6bef8b066b1

  • SHA1

    9e2a0536d71a558a1b3a0fd76bcb9f79670fdb16

  • SHA256

    86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134bcec227df7ae8cc2b0d

  • SHA512

    c04638b18de0067dacbcf8a0c6547d3cec0bc0e6af8062ba3a26e10c1a888e05658669b5e4530a75d2ef646a7fa64e60a433b54b7d409648ea44eee5011f6ee6

Score
10/10
raccooncd8dc1031358b1aec55cc6bc447df1018b068607stealer

Malware Config

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
    "C:\Users\Admin\AppData\Local\Temp\86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe"
    1⤵
      PID:2016
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 736
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 748
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 712
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 884
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 552
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1972

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2016-114-0x0000000002E00000-0x0000000002F4A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2016-115-0x0000000000400000-0x0000000002CA9000-memory.dmp
      Filesize

      40.7MB

      Download